Our present:

Our Future?

Source: http://us.123rf.com
Active Authentication Program Goal

Computers watch their operators, and manage their level of access based on the accuracy with which they can determine the operator's identity

Source: http:www.zuschlogin.com

Source: 2.bp.blogspot.com
Users are the weak link...

12/8/2011

Distribution Statement "A" (Approved for Public Release, Distribution Unlimited)


How many passwords do we really use?

DoD (DARPA) IT Asset Type       Reference System
NIPRnet                         Windows DMSS
Laptop Encryption               Guardian Edge
DARPA VPN                       Nortel
PDA                             Blackberry/iPhone
SIPRnet                         Windows DSN
JWICS                           Windows DJN
Source Selection                TFIMs, 120 BAA Tool
Contract Management             GSA Advantage, SPS
Contract Invoicing              Wide Area Workflow
Payroll                         MyPay
Benefits                        Benefeds.com
HR                              hr.dla.mil
Training                        DAU
Collaboration                   Defense Connect Online
Financial System, Local         Momentum
Financial System, Agency        DFAS
Credit Union                    PFCU, NCU, etc.

Non-DoD Hacked Credentials
Organization                             Date       Credentials lost
American Honda Motor Co.                 27-Dec-10  4.9m
Bank of America                          25-May-11  1.2m
Carnegie Mellon University               8-Oct-07   19k
Citigroup                                27-Jul-10  30m
Clarkson University                      10-Sep-08  245
Countrywide Financial Corp.              2-Aug-08   17m
Fidelity Investments                     24-Sep-07  8.7m
Heartland Payment Systems                20-Jan-09  130m
IBM                                      15-May-07  2k
Johns Hopkins Hospital                   22-Oct-10  152k
SAIC                                     7-May-08   630k
Sony                                     27-Apr-11  12m
Stanford University                      6-Jun-08   82k
TD Ameritrade Holding Corp.              14-Sep-07  6.5m
Texas A&M University                     9-Nov-08   13k
TJ Max Stores                            17-Jan-07  100m
U.S. Depart. of Veteran Affairs          14-May-07  103m
U.S. Marine Corp - PSU research          26-Jul-07  208k
Visa, MasterCard, and American Express   27-Dec-10  4.9m

Source: www.privacyrights.org/data-breach
MSNBC News Report:

Cyber attack on Gannett Targets US Soldiers

Hackers broke into a Gannett Co database containing personal information about subscribers to publications read by U.S. government officials, military leaders and rank-and-file soldiers, the media company said on Tuesday.

Gannett told subscribers via email that it discovered the breach of its Gannett Government Media Corp on June 7. It said it had previously notified subscribers of the breach via a notice on its website.

The attackers accessed subscribers' names, passwords and email addresses, the company said. They also obtained data on the duty status, paygrade and branch of service of some readers who serve in the military.

The information included subscribers to Defense News — one of the world's most widely read publications covering the defense industry — as well as publications aimed at soldiers serving in the U.S. Army, Navy, Air Force and Marine Corps.

By Jim Finkle

updated 6/28/2011 6:49:26 PM ET

Source: www.msnbc.msn.com
Number of passwords cracked by contest winner

Patterns will always be hackable

Defcon 2010 Contest on Password Hacking of 53,000 passwords

[Chart: passwords cracked (y-axis, 10,000 to 40,000) against Date/Time (x-axis, 2 hour increments over 48 hours). The winner's guessing algorithm is annotated on the rising curve, from bottom to top:]

• Start with normal dictionary attack against 6 character passwords

• Updated the dictionary word to include locally relevant words (vegas, defcon) in guessing algorithm

• Add cracked passwords as dictionary words to guessing algorithm

• Add special characters or numbers to beginning or end of dictionary words in guessing algorithm

Source: http://contest.korelogic.com/
Why will passwords always be a problem?

Keyboard: 6tFcVbNh/'TfCvBn

Keyboard: R%t6Y&u8l(oOP-[

#QWq EwReT rYtU y I

Source: Visualizing Keyboard Pattern Passwords, US AF Academy 11 Oct, 2009
Solution: Active Authentication

An open solution that provides meaningful and continual authentication to DoD's computer systems leveraging that which makes up you

Continuous authentication using:

• Multiple modalities in a rotating fashion

• Multiple authentications initiated each minute

• Open architecture to bring in future modalities

You:

• Computational linguistics (how you use language)

• Structural semantic analysis (how you construct sentences); Forensic authorship

• Keystroke pattern; Mouse movement

• Fingerprint; Iris pattern; Vein pattern; Facial geometry; DNA; Eye movement

Transparent validation of the person at the computer
Without passwords
Without proxies
Without hassle
Existing Biometric Modalities

Current Solutions (labels on the body diagram): Ear; Nose Pattern; Retina Pattern; Iris Pattern; Corneal Topography; Eye Movement; Pulse; Electrocardiogram; Vein Pattern; Nail bed Pattern; Fingerprint; Palmprint; Knuckle Pattern; Electroencephalogram; Face Geometry; Lip Pattern; Keystroke; Hand Pressure; Signature; DNA; Voice; Skin Thermography; Skin Spectroscopy; Odor; Skin Impedance; Muscle Movement

Physiological Biometrics
Sensors tracking the physical attributes of you

• DNA

• Ear Geometry

• Facial Geometry

• Fingerprint

• Iris Pattern

• Knuckle Pattern

• Lip Pattern

• Nail bed Pattern

• Nose Pattern

• Oto-acoustic Emissions

• Palmprint

• Retina Pattern

• Skin Spectroscopy

• Vein pattern

Behavioral Biometrics
Sensors tracking how you interact with the world

• Eye Movement

• Hand Pressure

• Keystroke pattern

• Signature

• Voice

Blue: may be suitable for continuous monitoring
Black: require interrupting the user
Biometric Identity Modalities

Physical aspects of you: Fingerprint

How you behave: Mouse tracking (1)

• Hovering to review alt-text

• Time over a single location

• Drifting while reviewing topics

• Double click

The context you exist in: Forensic authorship (2)

• Type-token ratio

• Average word length

• Use of unique words

[Figure: a scanned book page used to illustrate authorship analysis; the excerpt is not reproduced here.]

Legend: Existing Technology / Repurposed Technology / New Technology

Source: epdeatonville.org

Source: google search for "real estate" with mouse tracking provided by IOGraph

Source: The Manchurian Candidate, Robert Graves, P2, Amazon Preview

1 - What can a mouse cursor tell us more?: correlation of eye/mouse movements on web browsing, Mon-Chu Chen, John R. Anderson, Myeong-Ho Sohn (all CMU), 31 March 2001

2 - Quantifying evidence in forensic authorship analysis, Dr Tim Grant, Aston University, UK 2007
Layering Modalities - how it will work

• The Active Authentication Platform replaces the authentication framework within a desktop operating system with a protected framework

• Ex: winlogon and GINA.DLL for Microsoft Windows

• The user will identify themselves and gain access to the system

• The Active Authentication Platform will then look for user activity, capturing biometric information as it is available

• Ex:

  • Comparing mouse movement when mouse activity occurs

  • Comparing the pattern of typing when the keyboard is used

  • Comparing word usage when documents are created

• As system trust in the identity of the user increases, access to more critical systems is made available

• When system trust is not high enough, the Active Authentication platform initiates a re-check process to validate the identity of the user and takes system admin direction as needed
Authentication Fidelity

Active Authentication Scenario

[Chart: system confidence in the user's identity (y-axis: 90%, 99%, 99.9%, 99.99%, 99.999%, 99.9999%, 99.99999%, 99.999999%) against time since login (x-axis: 0 sec to 31 sec).]

User activity:
0 sec: User logs in
At 3 sec: Using the mouse
At 7 sec: Typing in Outlook
18 sec: Updating a Document

Background Authentications at 4 sec, 7 sec, 10 sec, 13 sec, 16 sec, 19 sec, 22 sec, 25 sec, 28 sec and 31 sec.

Modalities relating to how you behave: Mouse Movement (1); Keystroke Pattern (2)

Modalities relating to the context you exist in: Forensic Authorship (3); Structural Semantic Analysis (4)

1 - Mouse Movement (Mon-Chu Chen, John R. Anderson, Myeong-Ho Sohn 2001) (73-80% True Positive Rate)

2 - Keystroke Pattern (Gunetti et al., 2005) (94-95% True Positive Rate)

3 - Forensic Authorship (Dr Tim Grant, Aston University, UK 2007) (80-93% True Positive Rate)

4 - Structural Semantic Analysis (de Vel et al., 2002) (86-91% True Positive Rate)
Fidelity

Active Authentication Scenario ("not you")

[Chart: system confidence in the user's identity (y-axis: 90%, 99%, 99.9%, 99.99%, 99.999%, 99.9999%, 99.99999%, 99.999999%) against time since login (x-axis: 0 sec to 31 sec); in this scenario the confidence falls as the background checks fail.]

User activity:
0 sec: User logs in
At 3 sec: Using the mouse
At 7 sec: Typing in Outlook
18 sec: Updating a Document

Background Authentications at 4 sec, 7 sec, 10 sec, 13 sec, 16 sec, 19 sec, 22 sec, 25 sec, 28 sec and 31 sec.

Modalities relating to how you behave: Mouse Movement; Keystroke Pattern

Modalities relating to the context you exist in: Forensic Authorship; Structural Semantic Analysis

Automatic system re-test to validate identity to a threshold set by system administrator (example uses 99% over 3 tests)

No user interruption until the system's confidence level is breached (based on local thresholds set)

If it is breached the user is disconnected from all resources (local site chooses actions, logged off or disconnected)
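The trust loop that "Layering Modalities" describes and the two scenarios above sketch, as an added illustration that is not DARPA's design or any performer's code: each background check is folded into a running belief that the operator is the logged-in user, trust is restored silently when the belief climbs back over the administrator's threshold, and a failed check that leaves it below the threshold opens the re-test window (read here as three re-tests against 99%) before the site's disconnect action fires. Assumptions: checks are combined as independent likelihood ratios (naive Bayes), the 90% starting point and the per-check true positive rates come from the slides, and the impostor pass rates (`far`) are constructed placeholders the slides do not give.

```python
import math
from dataclasses import dataclass, field

# Per-check true positive rates are the midpoints of the ranges cited on the
# fidelity slides. The impostor pass rates ("far") are constructed
# placeholders for this illustration; the slides give no such figures.
MODALITIES = {
    "mouse":      {"tpr": 0.77, "far": 0.30},
    "keystroke":  {"tpr": 0.94, "far": 0.10},
    "authorship": {"tpr": 0.87, "far": 0.15},
    "semantic":   {"tpr": 0.88, "far": 0.12},
}


@dataclass
class Session:
    """Running belief that the person at the keyboard is the logged-in user."""
    prior: float = 0.90          # fidelity right after the password login
    threshold: float = 0.99      # admin-set fidelity the platform wants to hold
    max_rechecks: int = 3        # "99% over 3 tests": re-tests allowed below it
    logit: float = field(init=False)
    pending: int = 0             # consecutive re-tests still below threshold
    state: str = "ok"

    def __post_init__(self) -> None:
        self.logit = math.log(self.prior / (1.0 - self.prior))

    @property
    def confidence(self) -> float:
        return 1.0 / (1.0 + math.exp(-self.logit))

    def observe(self, modality: str, passed: bool) -> str:
        """Fold one background check into the belief; return the new state."""
        if self.state == "disconnect":
            return self.state                # site policy already applied
        m = MODALITIES[modality]
        # Likelihood ratio of this outcome under "genuine" versus "impostor";
        # checks are treated as independent, so their log-odds simply add.
        lr = m["tpr"] / m["far"] if passed else (1 - m["tpr"]) / (1 - m["far"])
        self.logit += math.log(lr)
        if self.confidence >= self.threshold:
            self.pending, self.state = 0, "ok"  # trust restored, no interruption
        elif not passed or self.pending:
            self.pending += 1                   # a failed check opens a re-test window
            self.state = "recheck" if self.pending < self.max_rechecks else "disconnect"
        return self.state


def run(events, **policy):
    """Replay (modality, passed) checks; return the states and final confidence."""
    s = Session(**policy)
    return [s.observe(mod, ok) for mod, ok in events], s.confidence


if __name__ == "__main__":
    genuine = [("mouse", True), ("keystroke", True), ("authorship", True), ("semantic", True)]
    impostor = [(mod, False) for mod, _ in genuine]
    print(run(genuine))   # states: ['ok', 'ok', 'ok', 'ok']
    print(run(impostor))  # states: ['recheck', 'recheck', 'disconnect', 'disconnect']
```

A single failed mouse check (the weakest modality) for a genuine user only opens a re-test window; the next passing keystroke check closes it without the user noticing.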
How do we measure success?

Note: The Authentication Platform does not start until Year 2, and will be addressed in a later solicitation; below are planned metrics

Introduced new authentication modalities                        Phase 1   Phase 2   Phase 3
Maximum False Rejections after five (5) scans                   1/week    1/month   1/month
True Positive Rate for each scan                                80%       80%       85%
Usability of modality within the population of DoD personnel    90%       90%       95%
Active Authentication Program Plan

[Gantt chart: Q4 2011, then Q1 to Q4 of 2012, 2013 and 2014, extending into 2015. Tracks and the bars shown on them:]

Biometric Study

Active Authentication Seedling

Programmatic Functions

New Authentication Modalities: Solicitation & Source Selection; Phase 1; Phase 2; Phase 3

Authentication Framework: Solicitation & Source Selection; Phase 2; Phase 3; Certification & Accreditation

System Testing & Validation: Solicitation & Source Selection; Commercial IRB/Human Use Oversight; System Validation and Verification; Adversarial Partner Testing Review/Oversight
Active Authentication Program focus areas

1. Emerging Authentication Modalities:

New methods for verifying a user's identity focusing on software biometrics in an office automation environment

2. Multifactor Authentication Integration:

Integration of the multiple modalities into a single platform for authentication developed in an open architecture to allow introduction of new solutions

Note: The multifactor authentication integration focus area does not start until Year 2, and will be addressed in a later solicitation

3. System Testing & Validation:

Both Independent Verification & Validation of the developed code and active Red Team analysis of the solution to ensure the solutions developed do not increase the current available attack surface
Phase 1 Activities

• The Solicitation is expected to come out in late November/Early December

• The Solicitation is currently expected to be open for 60 business days

• Multiple awards are expected for Technical Area #1

• Technical Area 2 will not be included in the Solicitation for Phase 1

• Multiple awards are not expected for Technical Area #3
Technical Area #1
Emerging Authentication Modalities

• New biometric modality studies on software based biometrics that can capture aspects of the "cognitive fingerprint" and that will be able to quantify their findings with human testing

• Expected to range from 3-6 months in length, but will all complete by the end of Phase 1 (Q1 2013)

• Expected cost no more than $500K per study

• There will be a heavy focus on providing quantitative analysis of the new solutions through testing

• Quantitative analysis will be required for performers in Phase 2
Technical Area #3
System Testing & Validation

• Provide Red Teaming or "Adversarial Partner" Subject Matter Expertise for length of Active Authentication program

• Provide realistic picture of risk introduced with the new modality approaches

• The Level of Effort for this technical area is expected to be low for Phase 1, with a significant increase in Phase 2 and 3

• Both Independent Verification & Validation of the developed code and active Red Team analysis of the solution to ensure the solutions developed do not increase the current available attack surface

• IV&V functions do not start until Phase 2
Potential Future Applications

Tactical Uses

Military personnel in Mission Oriented Protective Posture (MOPP) level 4 have to endure passwords while wearing 2 pairs of gloves

Physical Security

How many times have you forgotten your badge?

Right before picking up the "Red Phone" is not the time you want to verify your system access!

Medical Safety

Because of time constraints, medical personnel currently have no active verification of proficiency training or authorization

Mobile and Commercial

Anywhere passwords are currently being used could be converted to active authentication via biometrics